MEG
From NGSWiki
MEG - Myproxy Enabled GSISSHD
What is MEG?
MEG is an enhancement to GSI-OpenSSH that allows users to use *any* SSH client to authenticate and connect to a grid resource. It is based on GSI-OpenSSH v4.7 or later, a custom LinuxPAM module and an external helper script.
How does it work?
The user starts by uploading a proxy certificate (identified by a username and password) to a MyProxy server. The user can then connect with a standard SSH client and supply that same username and password. MEG uses them to retrieve the user's proxy from the MyProxy server, authenticates the user and, if successful, logs the user into the resource.
The following diagram is an overview of the login process:
How to get it
* MEG has been tested against RH4 and RH5 systems
The tarball can be downloaded from NescForge:
http://forge.nesc.ac.uk/download.php/494/megsisshd-1.0-1.src.tgz
Configuration
/etc/init.d/megsisshd
Edit this file and set GLOBUS_LOCATION appropriately. You may want to "chkconfig --enable" megsisshd to make it a permanent service (or not).
/etc/ssh/megsisshd_config
This is a standard SSHD configuration file; it's worth checking the options to ensure they meet your requirements. Note that the default port is 2223. If you change this, you must also change the AUTHPORT value in /etc/auth_myproxy_user.conf.
The *required* options are:
UsePAM yes
PermitPAMUserChange yes
ChallengeResponseAuthentication no
/etc/auth_myproxy_user.conf
This file controls the behaviour of /usr/sbin/auth_myproxy_user.sh, the script that is used to retrieve and authenticate users against the resource. AUTHHOST and AUTHPORT usually point to the location of megsisshd (which is itself GSI enabled) but can point to another GSI-enabled SSHD server in order to carry out authentication and account mapping.
You can specify a default list of MyProxy servers to try in MYPROXY_SERVER_LIST; they will be attempted in order until a proxy credential is retrieved.
The user can override this setting by providing a MyProxy server as part of the username. For example, when prompted:
login as: kevin@myproxy.ngs.ac.uk
Or from the command line:
$ ssh kevin@myproxy.ngs.ac.uk@ngs.rl.ac.uk
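The override and fallback behaviour described above, written out as an added example (this is not MEG's own auth_myproxy_user.sh; the space separated list format, the example host names and the myproxy-logon invocation are assumptions):

```shell
#!/bin/sh
# Added example, not the MEG project's own auth_myproxy_user.sh: split an
# "account@myproxy-host" login name, fall back to MYPROXY_SERVER_LIST when no
# host is given, and try the candidate servers in order until one succeeds.

# Constructed defaults; the real value lives in /etc/auth_myproxy_user.conf
# (that it is a space separated list there is an assumption).
MYPROXY_SERVER_LIST="myproxy.example.org myproxy2.example.org"

# meg_split LOGIN: prints "ACCOUNT SERVER..." on one line. Fails on malformed
# input (empty account, more than one '@', or a server part that is not a plain
# host name) so an SSH login name never reaches a command line unchecked.
meg_split() {
    login=$1
    case "$login" in
        ''|@*|*@*@*) return 1 ;;
        *@*)
            account=${login%%@*}
            server=${login#*@}
            case "$server" in
                ''|*[!A-Za-z0-9.-]*) return 1 ;;
            esac
            printf '%s %s\n' "$account" "$server"
            ;;
        *)
            printf '%s %s\n' "$login" "$MYPROXY_SERVER_LIST"
            ;;
    esac
}

# meg_fetch_proxy ACCOUNT SERVER: fetch the credential with myproxy-logon,
# reading the SSH-supplied password from stdin. Swap in your own fetcher.
meg_fetch_proxy() {
    myproxy-logon -s "$2" -l "$1" -S -o "/tmp/x509up_meg.$$" >/dev/null 2>&1
}

# meg_retrieve LOGIN: try each candidate server in order; print the one that
# delivered a credential and return 0, or return 1 when every server failed.
meg_retrieve() {
    parsed=$(meg_split "$1") || return 1
    set -- $parsed
    account=$1; shift
    for server in "$@"; do
        if meg_fetch_proxy "$account" "$server"; then
            printf '%s\n' "$server"
            return 0
        fi
    done
    return 1
}
```

With the default list, `meg_retrieve kevin` walks both example hosts, while `meg_retrieve kevin@myproxy.ngs.ac.uk` consults only the host the user named.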
/etc/pam.d/megsisshd
You shouldn't need to change this file. However, interested developers can write their own plugins for the pam_remapuser.so PAM module to remap supplied usernames to other accounts.
IMPORTANT NOTE:
Because of the way that PAM works, you need to ensure that the filename of the megsisshd binary corresponds to the name of the file under /etc/pam.d. For example, if you rename the binary to 'sshd' then it will use the PAM configuration from '/etc/pam.d/sshd' which is probably not going to work. You almost certainly don't want to share the PAM settings between SSHD and your GSI-Enabled SSHD, so it's best to name your GSI-SSHD something like 'gsisshd' and have appropriate PAM files for it.
List of clients known to work
- OpenSSH (ssh and scp)
- PuTTY
- WinSCP
- FireFTP Firefox Extension (SFTP mode)
- Konqueror (SFTP mode)
- SSH Secure Shell Client for Windows (v3.2.9, also known as SSH Tectia, http://www.ssh.com/)